Multiple Security Groups

In This Section:

Description

Preliminary Steps

Upgrading Chassis B

Failing Over to Chassis B

Upgrading Chassis A

Failing Over to Chassis A

Verification

Enabling Multiple Security Groups

For more information about Multiple Security Groups, see the R76SP.50 Administration Guide.

This section provides specific upgrade steps from the existing release to the new release with the support of Multiple Security Groups.

Description

The Multiple Security Groups feature lets you configure more than one Security Group on the same Scalable Platform.

To support Multiple Security Groups in R76SP.50, it is mandatory to install these on your Scalable Platform:

  1. R76SP.50 Take 148 and above. See sk115735.
  2. R76SP.50 Jumbo Hotfix Accumulator Take 161 and above. See sk117633.

Important - The Multiple Security Groups feature is not supported in R76SP.50 Build 84 and R76SP.50 Jumbo Hotfix Accumulator Takes 16 - 105. It is mandatory to re-image the SGMs with the required R76SP.50 Take and install the required Jumbo Hotfix Accumulator Take. If you only install the required Jumbo Hotfix Accumulator on top of R76SP.50 Build 84, the attempt to enable Multiple Security Groups is blocked.

Preliminary Steps

Important Note for VSX Virtual System Load Sharing mode - The upgrade procedure requires you to change the configuration from VSX Virtual System Load Sharing mode to VSX High Availability mode. After the upgrade procedure is complete, manually configure the system from VSX High Availability mode back to VSX Virtual System Load Sharing mode.

The upgrade procedure below applies to a Dual Chassis setup.

Step

Operation

Command

1

Make sure that your Management Server runs version R76 or higher.

If not, upgrade your Management Server.

# fwm ver

2

Back up your 60000/40000 Security Platform.

 

2a

On each Chassis, create a snapshot of one SGM.

Note - Run the commands on an arbitrary SGM on Chassis A and on Chassis B.

> set global-mode 0

> add snapshot pre_upgrade

2b

On each Chassis, make sure that the snapshot was created successfully.

> show snapshots

2c

On each Chassis, export the snapshot.

> set snapshot export pre_upgrade path /var/log/

> show snapshots

> set global-mode 1

2d

On each Chassis, copy the exported snapshot to external media or a remote server:

/var/log/pre_upgrade.tgz

 

2e

On each Chassis, collect configuration settings and system status information into a data file:

/var/log/asg_report.<host_name>_<date_stamp>_tar.gz

> asg_info -f

3

On a Chassis in VSX VSLS mode only:

Change the VSX mode from VSLS to High Availability.

> set chassis high-availability mode 0

4

Download the R76SP.50 ISO image required for Multiple Security Groups from the R76SP.50 60000/40000 Security Platforms Home Page.

You need this image during the upgrade procedure.

 

Upgrading Chassis B

Step

Operation

Command

5

Set Chassis B to administratively DOWN state.

# asg chassis_admin -c <Chassis_B_ID> down

6

On Chassis B, perform a Clean Install of the required R76SP.50 ISO on each SGM.

Install the image on all the SGMs at the same time, or create bootable USB media for each SGM.

7

On Chassis B, wait until all members are in UP state and enforcing policy.

> asg monitor

8

On Chassis B, reset the SSMs to factory default.

Important - Run these commands from a serial connection on Chassis B. This reset interrupts all traffic, including SSH.

> asg_chassis_ctrl reload_ssm_default 1

> asg_chassis_ctrl reload_ssm_default 2

9

On Chassis B, install the required Jumbo Hotfix Accumulator.

 

9a

Copy the installation *.tgz package to the SMO:

Check_Point_R76SP_50_upgrade.linux.tgz

 

9b

Create a temporary directory on the SMO in the /home/admin/ directory.

> mkdir -v /home/admin/temp

If such a temporary directory already exists, first delete it with this command:
> g_all rm -rf /home/admin/temp

9c

Extract the *.tgz package to the temporary directory.

> tar -xvzf /home/admin/Check_Point_R76SP_50_upgrade.linux.tgz -C /home/admin/temp/

9d

Start the Jumbo Hotfix Accumulator installation script.

Important - Make sure to run the script from Chassis A and not Chassis B.

> cd /home/admin/temp/

> ./AsgInstallScript -b chassis <Chassis_B_ID>

10

Make sure all SGMs show the correct version.

Note - SGMs on Chassis A show as failed because at this time, SGMs on Chassis A and SGMs on Chassis B have different versions. This is normal. Continue to the next step.

# asg_version -v

11

Set Chassis B to administratively UP state.

# asg chassis_admin -c <Chassis_B_ID> up

12

On Chassis B, run the diagnostics.

> asg policy verify -a [-vs all]

> asg_route -a [--vs all]

13

Make sure that Chassis B is UP and enforces security policy.

Important - You must correct all errors shown by the diagnostics before you continue to the next step.

> asg stat -v

Failing Over to Chassis B

Step

Operation

Command

14

Set Chassis A to administratively DOWN state.

> asg chassis_admin -c <Chassis_A_ID> down

15

On Chassis B, make sure that all SGMs are UP, and that traffic flows normally.

Important - Make sure Chassis B works correctly before you upgrade Chassis A.

> asg monitor [-vs all]

> asg perf [-vs all] -v

Upgrading Chassis A

Step

Operation

Command

16

Set Chassis A to administratively DOWN state.

# asg chassis_admin -c <Chassis_A_ID> down

17

On Chassis A, perform a Clean Install of the required R76SP.50 ISO on each SGM.

Install the image on all the SGMs at the same time, or create bootable USB media for each SGM.

18

On Chassis A, wait until all members are in UP state and enforcing policy.

> asg monitor

19

On Chassis A, reset the SSMs to factory default.

Important - Run these commands from a serial connection on Chassis A. This reset interrupts all traffic, including SSH.

> asg_chassis_ctrl reload_ssm_default 1

> asg_chassis_ctrl reload_ssm_default 2

20

On Chassis A, install the required Jumbo Hotfix Accumulator.

 

20a

Copy the installation *.tgz package to the SMO:

Check_Point_R76SP_50_upgrade.linux.tgz

 

20b

Create a temporary directory on the SMO in the /home/admin/ directory.

> mkdir -v /home/admin/temp

If such a temporary directory already exists, first delete it with this command:
> g_all rm -rf /home/admin/temp

20c

Extract the *.tgz package to the temporary directory.

> tar -xvzf /home/admin/Check_Point_R76SP_50_upgrade.linux.tgz -C /home/admin/temp/

20d

Start the Jumbo Hotfix Accumulator installation script.

Important - Make sure to run the script from Chassis A and not Chassis B.

> cd /home/admin/temp/

> ./AsgInstallScript -b chassis <Chassis_A_ID>

21

Make sure all SGMs show the correct version.

Note - SGMs on Chassis B show as failed, or show a previous version. This is normal. Continue to the next step.

# asg_version -v

22

Set Chassis A to administratively UP state.

# asg chassis_admin -c <Chassis_A_ID> up

23

On Chassis A, run the diagnostics.

> asg policy verify -a [-vs all]

> asg_route -a [--vs all]

24

Make sure that Chassis A is UP and enforces security policy.

Important - You must correct all errors shown by the diagnostics before you continue to the next step.

> asg stat -v

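Added example (not part of the vendor procedure): pre-extraction checks for the hotfix package copied in steps 9a and 20a, run before the tar command in steps 9c and 20c. It compares the package's SHA-256 with a value you obtained from the download source and rejects archive members with absolute paths or ".." components. The function names and the expected-hash argument are assumptions, and sha256sum must be available on the host where the package is staged.

```shell
#!/bin/sh
# Added example, not vendor code. Function names are hypothetical.
# The expected SHA-256 is an input you supply from the download source.

# Succeed only if the SHA-256 of file $1 equals the hex digest $2 (any case).
sha256_matches() {
    got=$(sha256sum "$1" 2>/dev/null | cut -d' ' -f1)
    want=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -n "$got" ] && [ "$got" = "$want" ]
}

# Read a tar member listing on stdin; succeed only if no entry is an
# absolute path or contains a ".." path component.
listing_is_safe() {
    ! grep -Eq '^/|(^|/)\.\.(/|$)'
}

# Verify checksum and member paths, then extract into a new directory.
# mkdir without -p fails if the directory exists, so leftovers from an
# earlier attempt are never mixed with the new files.
verified_extract() {
    pkg=$1; digest=$2; dest=$3
    sha256_matches "$pkg" "$digest" ||
        { echo "checksum mismatch: $pkg" >&2; return 1; }
    listing=$(tar -tzf "$pkg") ||
        { echo "cannot read archive: $pkg" >&2; return 1; }
    printf '%s\n' "$listing" | listing_is_safe ||
        { echo "unsafe member path in: $pkg" >&2; return 1; }
    mkdir "$dest" || return 1
    tar -xzf "$pkg" -C "$dest"
}

# Usage: sh verify_pkg.sh <package.tgz> <expected_sha256> <new_directory>
if [ $# -eq 3 ]; then
    verified_extract "$1" "$2" "$3"
fi
```
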
Failing Over to Chassis A

Step

Operation

Command

25

Set Chassis B to administratively DOWN state.

> asg chassis_admin -c <Chassis_B_ID> down

26

On Chassis A, make sure that all SGMs are UP, and that traffic flows normally.

> asg monitor [-vs all]

> asg perf [-vs all] -v

Verification

Step

Operation

Command

26

Make sure all SGMs show the correct version.

> asg_version -v

27

On a Chassis in VSX VSLS mode only:

Change the VSX mode from High Availability to VSLS.

> set chassis high-availability mode 4

28

Make sure all SGMs and SSMs are up to date, and that the system is configured correctly.

> asg diag verify

Enabling Multiple Security Groups

Follow the instructions in the R76SP.50 Administration Guide - Chapter 60000/40000 Security Platforms - Section Multiple Security Groups.